Article ID: 2535227

PROBLEM

When a federated user signs in to access a Microsoft Office 365 resource, the user is prompted unexpectedly to enter his or her credentials. After the user enters his or her credentials, the user is granted access to the Office 365 service.

Note Not every federated sign-in is expected to be free of a credential prompt. In certain scenarios, it is by design and expected that federated users are prompted to enter their credentials. Make sure that the credential prompt is unexpected before you continue.

CAUSE

This issue may occur for internal domain clients if one or more of the following conditions are true:
  • An internal client resolves the Active Directory Federation Services (AD FS) endpoint to the IP address of the AD FS proxy service instead of to the IP address of the AD FS federation service.
  • The security settings in Internet Explorer are not configured for single sign-on to AD FS.
  • The proxy server settings in Internet Explorer are not configured for single sign-on to AD FS.
  • The Internet Information Services (IIS) authentication settings on the AD FS server are configured incorrectly.
  • The web browser does not support integrated Windows authentication.
  • The client computer cannot connect to the on-premises Active Directory domain.

SOLUTION

To resolve this issue, use one or more of the following methods, as appropriate for your situation.

Method 1: Make sure that the DNS server has a host record for the AD FS endpoint

Make sure that the DNS server has a host record for the AD FS endpoint that is appropriate to the client computer that is experiencing this issue. For internal clients, this means that the internal DNS server should resolve the AD FS endpoint name to an internal IP address. For Internet clients, this means that the endpoint name should resolve to a public IP address. To test this on the client, follow these steps:
  1. Click Start, click Run, type cmd, and then press Enter.
  2. At the command prompt, type the following command, where the placeholder sts.contoso.com represents the AD FS endpoint name:
    nslookup sts.contoso.com
  3. If the output of the command shows an incorrect IP address, update the A record on the internal or external DNS server. For more information about how to do this, see the following article in the Microsoft Knowledge Base:
    2419389 Internet browser can't display the AD FS webpage when a federated user tries to sign in to Office 365, Windows Azure, or Windows Intune

Method 2: Check the local intranet zone and proxy server settings in Internet Explorer

Use one of the following procedures, as appropriate for your situation.

Procedure A

Check the local intranet zone and proxy server settings in Internet Explorer. To do this, follow these steps:
  1. Start Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Security tab, click the Local intranet zone, and then click Sites.
  4. In the Local intranet dialog box, click Advanced. In the Websites list, make sure that an entry (such as sts.contoso.com) exists for the fully qualified DNS name of the AD FS service endpoint.
  5. Click Close, and then click OK.

    Note Use the following additional steps only if a network administrator configured a web proxy server in the on-premises environment:
  6. Click the Connections tab, and then click LAN Settings.
  7. Under Automatic configuration, click to clear the Automatically detect settings check box, and then click to clear the Use automatic configuration script check box.
  8. Under Proxy server, click to select the Use a proxy server for your LAN check box, type the proxy server address and the port that it uses, and then click Advanced.
  9. Under Exceptions, add your AD FS endpoint (such as sts.contoso.com).
  10. Click OK three times.

Procedure B

Manually configure the security settings for the security zone in Internet Explorer. The default security setting that prevents the Local intranet zone from prompting for Windows authentication can be configured manually for any security zone in Internet Explorer. To customize the security zone that already contains the AD FS service name, follow these steps:

Warning We highly discourage this configuration because it could result in the unintended submission of Integrated Windows Authentication traffic to websites.
  1. Start Internet Explorer.
  2. On the Tools menu, click Internet options.
  3. Click the Security tab, select the security zone in which the AD FS service name is already contained, and then click Custom level.
  4. In the Security Settings dialog box, scroll to the bottom to locate the User Authentication entry.
  5. Under Logon, click Automatic logon with current user name and password.
  6. Click OK two times.

Method 3: Check the IIS authentication settings for the AD FS federation service and proxy service

Verify that the IIS authentication settings for the AD FS federation and proxy services are configured correctly. For more information, see the following article in the Microsoft Knowledge Base:
2461628 A federated user is repeatedly prompted for credentials during sign-in to Office 365, Windows Azure, or Windows Intune

Method 4: Use Internet Explorer or a third-party web browser

Use Internet Explorer or a third-party web browser that supports integrated Windows authentication.

Method 5: Verify connectivity to Active Directory

Log off from the client computer and then log on as an Active Directory user. If logon is successful, verify the connectivity to Active Directory by using the Nltest command-line tool. To use the Nltest tool, you must have Windows Server 2003 Support Tools installed on the computer.
  1. At a command prompt, type the following command, and then press Enter:
    Nltest /dsgetdc:<FQDN Of Domain>
    If the settings are correct, you receive output that resembles the following:
               DC: \\DC.contoso.com
          Address: \\192.168.1.10
         Dom Guid: a3bd534c-19e9-4880-81ad-a8ee34cd4526
         Dom Name: contoso.com
      Forest Name: contoso.com
     Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
            Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
    The command completed successfully
  2. Check the computer's site membership. To do this, type the following command, and then press Enter:
    nltest /dsgetsite
    A successful result resembles the following:
    Default-First-Site-Name
    The command completed successfully
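The following PowerShell script gathers, in one pass, the settings that Methods 1, 2 and 5 above ask you to inspect by hand. It is an added example and is not part of this article; the endpoint and domain names are placeholders, the endpoint is assumed to have at least three DNS labels (host.domain.tld), and the Internet Explorer settings are assumed to be in their standard per-user registry locations rather than set by Group Policy.

```powershell
# Added diagnostic script; not part of the KB article. Assumptions: the endpoint
# and domain names are placeholders, the endpoint has at least three DNS labels,
# and the Internet Explorer settings live in the standard per-user registry keys.
param(
    [string]$AdfsEndpoint = 'sts.contoso.com',   # placeholder, replace with yours
    [string]$DomainFqdn   = 'contoso.com'        # placeholder, replace with yours
)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Method 1: which address does this client resolve the AD FS endpoint to?
$addresses = [System.Net.Dns]::GetHostAddresses($AdfsEndpoint) | ForEach-Object { $_.IPAddressToString }
Write-Host "[DNS] $AdfsEndpoint resolves to: $($addresses -join ', ')"
Write-Host '      An internal client should get the federation service IP, not the proxy IP.'

# Method 2, Procedure A: is the endpoint mapped to the Local intranet zone (zone 1)?
$domainPart = ($AdfsEndpoint.Split('.')[-2..-1] -join '.')                                # contoso.com
$hostPart   = $AdfsEndpoint.Substring(0, $AdfsEndpoint.Length - $domainPart.Length - 1)   # sts
$zoneKey    = Join-Path $inetSettings "ZoneMap\Domains\$domainPart\$hostPart"
$zone = $null
if (Test-Path $zoneKey) {
    $entry = Get-ItemProperty $zoneKey
    # The value name is the scheme ('https', 'http') or '*' for all schemes; the data is the zone number.
    $zone = @($entry.https, $entry.http, $entry.'*') | Where-Object { $_ -ne $null } | Select-Object -First 1
}
if ($zone -eq 1) { Write-Host "[Zone] $AdfsEndpoint is in the Local intranet zone" }
else             { Write-Host "[Zone] $AdfsEndpoint is NOT in the Local intranet zone (zone value: $zone)" }

# Method 2, Procedure A: if a proxy is in use, the endpoint must be in the bypass (Exceptions) list.
$proxy = Get-ItemProperty $inetSettings
if ($proxy.ProxyEnable -eq 1) {
    $bypassed = [bool](@($proxy.ProxyOverride -split ';') | Where-Object { $_ -and ($AdfsEndpoint -like $_) })
    Write-Host "[Proxy] $($proxy.ProxyServer) is enabled; AD FS endpoint bypassed: $bypassed"
}
if ($proxy.AutoConfigURL) { Write-Host "[Proxy] Automatic configuration script still set: $($proxy.AutoConfigURL)" }

# Method 2, Procedure B: the Logon setting of the Local intranet zone is registry value 1A00.
# 0 = automatic logon with current user name and password, 0x20000 = automatic logon only in intranet zone.
$logon = (Get-ItemProperty (Join-Path $inetSettings 'Zones\1')).'1A00'
Write-Host ('[Logon] Local intranet zone logon setting: 0x{0:X}' -f [int]$logon)

# Method 5: can the client locate a domain controller and its site? (same commands as the article)
nltest /dsgetdc:$DomainFqdn
nltest /dsgetsite
```

Run it in the signed-in user's session, because the zone, proxy and logon settings are per user.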

MORE INFORMATION

Accessing Office 365 resources by using a non-federated account or a federated account from a public Internet connection may not result in a single sign-on experience. This is by design in Office 365.

Signing in to Office 365 from Microsoft Outlook is also not expected to be a single sign-on experience.

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Properties

Article ID: 2535227 - Last Review: February 25, 2014 - Revision: 33.0
Applies to
  • Windows Azure
  • Microsoft Office 365
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • CRM Online via Office 365 E Plans
  • Windows Azure Recovery Services
Keywords: o365 o365e o365062011 pre-upgrade o365022013 after upgrade o365a o365m KB2535227
